Analyze suspicious Windows executable files with PeStudio

If you install and run new software regularly on your Windows system, you may have come upon programs that you have a bad feeling about.

Maybe because you have downloaded them from a site you cannot trust, maybe because it is a new app that has not been reviewed anywhere yet, or maybe because of what it is supposed to do.

You may scan the executable file locally then and on sites like VirusTotal to find out if it contains malicious code.

Sometimes you get two, three or four hits on VirusTotal while the remaining antivirus engines report that the file is clean.

Unless major engines are among those reporting hits, these are usually false positives, but would you risk installing malware based on that?

You could run the program in a sandbox so that it won't affect the underlying system no matter what. Another option is to analyze it with the help of the free PeStudio program.

PeStudio is a free portable program for Windows that you can use to analyze executable files in various ways. It was designed to uncover suspicious patterns, indicators and anomalies that provide you with additional insight about the program's main purpose and whether it is malicious or not.

All you need to do is drag an executable file onto the program window after you have started it up to begin the analysis.

One of the first things PeStudio does is query VirusTotal and report the hits. That is, however, just one of the things it does, and you will notice that it lists more than two dozen checks it performs.

Each check is color coded so that you know at first glance what you should look at initially. Green indicates no issues, orange something that you should look into, and red the most pressing findings that you should investigate first.

A click on strings may, for instance, reveal commands used by the program, such as Registry manipulation, or module names that give away information about its function.

Other information that it provides includes imported libraries and symbols, the file and DOS headers, as well as certificate and resource information.

The indicators listing is of particular importance, as it summarizes the most important findings of the scan at the very top. There you may find information about the program's capabilities (e.g. accesses libraries at runtime, creates or modifies files) which can be very useful in your analysis.

It needs to be noted at this point that PeStudio finds indicators, and that red or orange color codes do not necessarily mean that something fishy is going on.
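To make the header, strings and indicators views described above concrete, here is a small static triage script in pure Python. It is an added example written for this article and is not PeStudio's code or output. It parses the DOS header, COFF file header, optional-header magic and section table of a PE file, pulls printable ASCII strings out of it, and grades them with a handful of hypothetical indicator rules using the same green/orange/red scale the article describes. The sample PE image, the `INDICATOR_RULES` list and all names in it are constructed for the demonstration; a red result means "look here first", not "this is malware".

```python
"""Minimal static triage of a PE file (added example, stdlib only).
Mirrors three PeStudio views: headers, strings and colour-coded indicators."""
import re
import struct

MIN_STRING_LEN = 5
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

# Hypothetical indicator rules: (name, severity, pattern). Severity follows the
# article's colour scheme: red = investigate first, orange = look into it.
INDICATOR_RULES = [
    ("registry run key", "red", re.compile(r"CurrentVersion\\Run", re.I)),
    ("registry api", "orange", re.compile(r"^Reg(Set|Create|Delete)\w*[AW]?$")),
    ("url", "orange", re.compile(r"https?://", re.I)),
    ("file api", "orange", re.compile(r"^(CreateFile|WriteFile|DeleteFile)[AW]?$")),
    ("dynamic library loading", "orange",
     re.compile(r"^(LoadLibrary[AW]?|GetProcAddress)$")),
]


def parse_headers(data: bytes) -> dict:
    """Parse DOS header, COFF header, optional-header magic and section table.
    Raises ValueError for anything that is not a well-formed PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = 0
    if opt_size >= 2 and opt_off + 2 <= len(data):
        magic = struct.unpack_from("<H", data, opt_off)[0]
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown")
    sections = []
    for i in range(nsections):
        off = opt_off + opt_size + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr})
    return {"machine": machine, "format": fmt, "timestamp": timestamp,
            "characteristics": characteristics, "sections": sections}


def extract_strings(data: bytes) -> list:
    """Printable ASCII runs of at least MIN_STRING_LEN bytes, like a strings view."""
    return [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]


def find_indicators(strings: list) -> list:
    """Match each string against the rules; first matching rule wins."""
    hits = []
    for s in strings:
        for name, severity, rx in INDICATOR_RULES:
            if rx.search(s):
                hits.append({"indicator": name, "severity": severity, "string": s})
                break
    return hits


def overall_verdict(hits: list) -> str:
    """Highest severity seen: red > orange > green (green = nothing flagged)."""
    severities = {h["severity"] for h in hits}
    return "red" if "red" in severities else "orange" if severities else "green"


def triage(data: bytes) -> dict:
    hits = find_indicators(extract_strings(data))
    return {"headers": parse_headers(data), "strings": extract_strings(data),
            "indicators": hits, "verdict": overall_verdict(hits)}


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image with one .rdata section (not a real program)."""
    payload = b"\0".join([
        b"kernel32.dll", b"LoadLibraryA", b"GetProcAddress",
        b"advapi32.dll", b"RegSetValueExA",
        b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        b"http://update.example.invalid/check", b"WriteFile",
    ]) + b"\0"
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x10B)                      # optional header: PE32 magic only
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)  # i386, 1 section
    header_len = e_lfanew + 4 + 20 + len(opt) + 40
    raw_ptr = (header_len + 0x1FF) & ~0x1FF             # align raw data to 512 bytes
    section = struct.pack("<8sIIIIIIHHI", b".rdata", len(payload), 0x2000,
                          len(payload), raw_ptr, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + section
    return headers + b"\0" * (raw_ptr - len(headers)) + payload


if __name__ == "__main__":
    report = triage(build_sample_pe())
    print(report["headers"]["format"], [s["name"] for s in report["headers"]["sections"]])
    for hit in report["indicators"]:
        print(f"[{hit['severity']:6}] {hit['indicator']}: {hit['string']}")
    print("verdict:", report["verdict"])
```

Run it against a real file with `triage(open(path, "rb").read())`. The script deliberately stops at the section table; resolving the import directory from the data directories is the next step a fuller tool such as PeStudio takes, and the indicator rules here are illustrative, so treat the verdict the way the article treats PeStudio's colours: as a pointer to what to look at first.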

PeStudio comes as a graphical user interface but also as a command line version that you can run right from it.

Verdict

PeStudio is a useful helper program for Windows users who want to analyze executable files before they run them on their system. The integration of VirusTotal is excellent and the remaining options that it provides can give you valuable clues whether a program may potentially be malicious in nature. (via Betanews)


About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand.

PE Studio does NOT crash. Depending on the file you are opening however, it can look like a crash as it can take quite long to analyze the program. You unfortunately don’t get a pretty fake box saying “analysis in progress”. It unfortunately appears to go ‘unresponsive’ as it does its thing. Just wait.

1) Sometimes, PeStudio’s left window displays something in red, but the corresponding entry at the right-hand window has no value flagged in red. So it is not clear which “interesting” value triggered the red alert.

2) When individually scanning certain .exe files (even small ones of 1 MB size), PeStudio’s “Indicators” image tends to hang at “wait …” for 30–90 seconds, even though the results for all other images are finalized. If the user tries to “Close All Images” or “Close Selected Image” while “Indicators” is still at “wait” status, this is when PeStudio crashes & exits.

For larger .exe files (e.g. Firefox 35.0 offline installer 38 MB, or Avira Antivirus offline installer 146 MB), the “Indicators” response-time is VERY long (>10 mins). And while the user waits w/o doing anything, PeStudio may or may not suddenly crash. For these 2 examples, PeStudio sometimes crashed & exited while I was waiting. Even if it didn’t crash, I eventually gave up waiting & clicked “Close All Images” to trigger PeStudio to crash & exit, so that I could get it to stop.

The “Indicators” wait non-responsiveness can be reproduced every single time for the affected .exe files. This is how I can reliably make PeStudio crash as many times as I wish. Hmm, this is even more “crash-happy” than my good ol’ Firefox, which can crash >100 times per month.
